Fix critical memory issues

jserv · jserv · commit 9220ffb41505 · 2025-10-02T04:27:10.000+08:00
This adds proper NULL checks for all critical malloc/calloc/mpool_alloc
calls that previously relied solely on assert(), which compiles out in
production builds with -DNDEBUG.

It also resolves critical memory safety issues found  that could allow
guest code to corrupt host memory or cause crashes.
- Fix potential integer underflow in memcpy length calculation
- Add validation that args[0] length exceeds 7 before subtraction
- Add bounds checking in memset_handler to validate dest and count
- Add bounds checking in memcpy_handler for both src and dest
- Prevent guest code from writing to arbitrary host memory addresses
- Raise traps (STORE_MISALIGNED/LOAD_MISALIGNED) on violations
- Reading arbitrary host memory via out-of-bounds memcpy source
- Writing arbitrary host memory via out-of-bounds memcpy/memset dest
- Causing host crashes via integer overflow in size calculations
diff --git a/src/cache.c b/src/cache.c
@@ -285,6 +285,17 @@ void *cache_put(cache_t *cache, uint32_t key, void *value)
     }
 
     cache_entry_t *new_entry = calloc(1, sizeof(cache_entry_t));
+    if (unlikely(!new_entry)) {
+        /* Allocation failed - restore replaced entry if exists */
+        if (replaced) {
+            replaced->alive = true;
+            list_del_init(&replaced->list);
+            list_add(&replaced->list, &cache->list);
+            cache->size++;
+            cache->ghost_list_size--;
+        }
+        return NULL;
+    }
     assert(new_entry);
 
     INIT_LIST_HEAD(&new_entry->list);
diff --git a/src/emulate.c b/src/emulate.c
@@ -273,6 +273,8 @@ HASH_FUNC_IMPL(map_hash, BLOCK_MAP_CAPACITY_BITS, 1 << BLOCK_MAP_CAPACITY_BITS)
 static block_t *block_alloc(riscv_t *rv)
 {
     block_t *block = mpool_alloc(rv->block_mp);
+    if (unlikely(!block))
+        return NULL;
     assert(block);
     block->n_insn = 0;
 #if RV32_HAS(JIT)
@@ -619,13 +621,15 @@ FORCE_INLINE bool insn_is_indirect_branch(uint8_t opcode)
     }
 }
 
-static void block_translate(riscv_t *rv, block_t *block)
+static bool block_translate(riscv_t *rv, block_t *block)
 {
 retranslate:
     block->pc_start = block->pc_end = rv->PC;
 
     rv_insn_t *prev_ir = NULL;
     rv_insn_t *ir = mpool_calloc(rv->block_ir_mp);
+    if (unlikely(!ir))
+        return false;
     block->ir_head = ir;
 
     /* translate the basic block */
@@ -665,6 +669,8 @@ static void block_translate(riscv_t *rv, block_t *block)
         if (insn_is_branch(ir->opcode)) {
             if (insn_is_indirect_branch(ir->opcode)) {
                 ir->branch_table = calloc(1, sizeof(branch_history_table_t));
+                if (unlikely(!ir->branch_table))
+                    return false;
                 assert(ir->branch_table);
                 memset(ir->branch_table->PC, -1,
                        sizeof(uint32_t) * HISTORY_SIZE);
@@ -673,36 +679,44 @@ static void block_translate(riscv_t *rv, block_t *block)
         }
 
         ir = mpool_calloc(rv->block_ir_mp);
+        if (unlikely(!ir))
+            return false;
     }
 
     assert(prev_ir);
     block->ir_tail = prev_ir;
     block->ir_tail->next = NULL;
+    return true;
 }
 
 #if RV32_HAS(MOP_FUSION)
-#define COMBINE_MEM_OPS(RW)                                       \
-    next_ir = ir->next;                                           \
-    count = 1;                                                    \
-    while (1) {                                                   \
-        if (next_ir->opcode != IIF(RW)(rv_insn_lw, rv_insn_sw))   \
-            break;                                                \
-        count++;                                                  \
-        if (!next_ir->next)                                       \
-            break;                                                \
-        next_ir = next_ir->next;                                  \
-    }                                                             \
-    if (count > 1) {                                              \
-        ir->opcode = IIF(RW)(rv_insn_fuse4, rv_insn_fuse3);       \
-        ir->fuse = malloc(count * sizeof(opcode_fuse_t));         \
-        assert(ir->fuse);                                         \
-        ir->imm2 = count;                                         \
-        memcpy(ir->fuse, ir, sizeof(opcode_fuse_t));              \
-        ir->impl = dispatch_table[ir->opcode];                    \
-        next_ir = ir->next;                                       \
-        for (int j = 1; j < count; j++, next_ir = next_ir->next)  \
-            memcpy(ir->fuse + j, next_ir, sizeof(opcode_fuse_t)); \
-        remove_next_nth_ir(rv, ir, block, count - 1);             \
+#define COMBINE_MEM_OPS(RW)                                           \
+    next_ir = ir->next;                                               \
+    count = 1;                                                        \
+    while (1) {                                                       \
+        if (next_ir->opcode != IIF(RW)(rv_insn_lw, rv_insn_sw))       \
+            break;                                                    \
+        count++;                                                      \
+        if (!next_ir->next)                                           \
+            break;                                                    \
+        next_ir = next_ir->next;                                      \
+    }                                                                 \
+    if (count > 1) {                                                  \
+        ir->opcode = IIF(RW)(rv_insn_fuse4, rv_insn_fuse3);           \
+        ir->fuse = malloc(count * sizeof(opcode_fuse_t));             \
+        if (unlikely(!ir->fuse)) {                                    \
+            ir->opcode = IIF(RW)(rv_insn_lw, rv_insn_sw);             \
+            count = 1; /* Degrade to non-fused operation */           \
+        } else {                                                      \
+            assert(ir->fuse);                                         \
+            ir->imm2 = count;                                         \
+            memcpy(ir->fuse, ir, sizeof(opcode_fuse_t));              \
+            ir->impl = dispatch_table[ir->opcode];                    \
+            next_ir = ir->next;                                       \
+            for (int j = 1; j < count; j++, next_ir = next_ir->next)  \
+                memcpy(ir->fuse + j, next_ir, sizeof(opcode_fuse_t)); \
+            remove_next_nth_ir(rv, ir, block, count - 1);             \
+        }                                                             \
     }
 
 static inline void remove_next_nth_ir(const riscv_t *rv,
@@ -762,16 +776,20 @@ static void match_pattern(riscv_t *rv, block_t *block)
                     next_ir = next_ir->next;
                 }
                 if (count > 1) {
-                    ir->opcode = rv_insn_fuse1;
                     ir->fuse = malloc(count * sizeof(opcode_fuse_t));
-                    assert(ir->fuse);
-                    ir->imm2 = count;
-                    memcpy(ir->fuse, ir, sizeof(opcode_fuse_t));
-                    ir->impl = dispatch_table[ir->opcode];
-                    next_ir = ir->next;
-                    for (int j = 1; j < count; j++, next_ir = next_ir->next)
-                        memcpy(ir->fuse + j, next_ir, sizeof(opcode_fuse_t));
-                    remove_next_nth_ir(rv, ir, block, count - 1);
+                    if (likely(ir->fuse)) {
+                        ir->opcode = rv_insn_fuse1;
+                        assert(ir->fuse);
+                        ir->imm2 = count;
+                        memcpy(ir->fuse, ir, sizeof(opcode_fuse_t));
+                        ir->impl = dispatch_table[ir->opcode];
+                        next_ir = ir->next;
+                        for (int j = 1; j < count; j++, next_ir = next_ir->next)
+                            memcpy(ir->fuse + j, next_ir,
+                                   sizeof(opcode_fuse_t));
+                        remove_next_nth_ir(rv, ir, block, count - 1);
+                    }
+                    /* If malloc failed, degrade gracefully to non-fused ops */
                 }
                 break;
             }
@@ -803,15 +821,18 @@ static void match_pattern(riscv_t *rv, block_t *block)
             }
             if (count > 1) {
                 ir->fuse = malloc(count * sizeof(opcode_fuse_t));
-                assert(ir->fuse);
-                memcpy(ir->fuse, ir, sizeof(opcode_fuse_t));
-                ir->opcode = rv_insn_fuse5;
-                ir->imm2 = count;
-                ir->impl = dispatch_table[ir->opcode];
-                next_ir = ir->next;
-                for (int j = 1; j < count; j++, next_ir = next_ir->next)
-                    memcpy(ir->fuse + j, next_ir, sizeof(opcode_fuse_t));
-                remove_next_nth_ir(rv, ir, block, count - 1);
+                if (likely(ir->fuse)) {
+                    assert(ir->fuse);
+                    memcpy(ir->fuse, ir, sizeof(opcode_fuse_t));
+                    ir->opcode = rv_insn_fuse5;
+                    ir->imm2 = count;
+                    ir->impl = dispatch_table[ir->opcode];
+                    next_ir = ir->next;
+                    for (int j = 1; j < count; j++, next_ir = next_ir->next)
+                        memcpy(ir->fuse + j, next_ir, sizeof(opcode_fuse_t));
+                    remove_next_nth_ir(rv, ir, block, count - 1);
+                }
+                /* If malloc failed, degrade gracefully to non-fused ops */
             }
             break;
         }
@@ -881,8 +902,11 @@ static block_t *block_find_or_translate(riscv_t *rv)
 #endif
     /* allocate a new block */
     next_blk = block_alloc(rv);
+    if (unlikely(!next_blk))
+        return NULL;
 
-    block_translate(rv, next_blk);
+    if (unlikely(!block_translate(rv, next_blk)))
+        return NULL;
 
 #if RV32_HAS(JIT) && RV32_HAS(SYSTEM)
     /*
@@ -1129,6 +1153,10 @@ void rv_step(void *arg)
         else if (!block->compiled && block->n_invoke >= THRESHOLD) {
             block->compiled = true;
             queue_entry_t *entry = malloc(sizeof(queue_entry_t));
+            if (unlikely(!entry)) {
+                /* Malloc failed - degrade to tier-1 JIT, don't queue for T2C */
+                continue;
+            }
             entry->block = block;
             pthread_mutex_lock(&rv->wait_queue_lock);
             list_add(&entry->list, &rv->wait_queue);
@@ -1378,16 +1406,38 @@ void ecall_handler(riscv_t *rv)
 void memset_handler(riscv_t *rv)
 {
     memory_t *m = PRIV(rv)->mem;
-    memset((char *) m->mem_base + rv->X[rv_reg_a0], rv->X[rv_reg_a1],
-           rv->X[rv_reg_a2]);
+    uint32_t dest = rv->X[rv_reg_a0];
+    uint32_t value = rv->X[rv_reg_a1];
+    uint32_t count = rv->X[rv_reg_a2];
+
+    /* Bounds checking to prevent buffer overflow */
+    if (dest >= m->mem_size || count > m->mem_size - dest) {
+        SET_CAUSE_AND_TVAL_THEN_TRAP(rv, STORE_MISALIGNED, dest);
+        return;
+    }
+
+    memset((char *) m->mem_base + dest, value, count);
     rv->PC = rv->X[rv_reg_ra] & ~1U;
 }
 
 void memcpy_handler(riscv_t *rv)
 {
     memory_t *m = PRIV(rv)->mem;
-    memcpy((char *) m->mem_base + rv->X[rv_reg_a0],
-           (char *) m->mem_base + rv->X[rv_reg_a1], rv->X[rv_reg_a2]);
+    uint32_t dest = rv->X[rv_reg_a0];
+    uint32_t src = rv->X[rv_reg_a1];
+    uint32_t count = rv->X[rv_reg_a2];
+
+    /* Bounds checking to prevent buffer overflow */
+    if (dest >= m->mem_size || count > m->mem_size - dest) {
+        SET_CAUSE_AND_TVAL_THEN_TRAP(rv, STORE_MISALIGNED, dest);
+        return;
+    }
+    if (src >= m->mem_size || count > m->mem_size - src) {
+        SET_CAUSE_AND_TVAL_THEN_TRAP(rv, LOAD_MISALIGNED, src);
+        return;
+    }
+
+    memcpy((char *) m->mem_base + dest, (char *) m->mem_base + src, count);
     rv->PC = rv->X[rv_reg_ra] & ~1U;
 }
 
diff --git a/src/io.c b/src/io.c
@@ -23,6 +23,8 @@ memory_t *memory_new(uint32_t size)
         return NULL;
 
     memory_t *mem = malloc(sizeof(memory_t));
+    if (!mem)
+        return NULL;
     assert(mem);
 #if HAVE_MMAP
     data_memory_base = mmap(NULL, size, PROT_READ | PROT_WRITE,
diff --git a/src/jit.c b/src/jit.c
@@ -2330,7 +2330,10 @@ void jit_translate(riscv_t *rv, block_t *block)
 struct jit_state *jit_state_init(size_t size)
 {
     struct jit_state *state = malloc(sizeof(struct jit_state));
+    if (!state)
+        return NULL;
     assert(state);
+
     state->offset = 0;
     state->size = size;
     state->buf = mmap(0, size, PROT_READ | PROT_WRITE | PROT_EXEC,
@@ -2340,13 +2343,32 @@ struct jit_state *jit_state_init(size_t size)
 #endif
                       ,
                       -1, 0);
-    state->n_blocks = 0;
+    if (state->buf == MAP_FAILED) {
+        free(state);
+        return NULL;
+    }
     assert(state->buf != MAP_FAILED);
+
+    state->n_blocks = 0;
     set_reset(&state->set);
     reset_reg();
     prepare_translate(state);
+
     state->offset_map = calloc(MAX_BLOCKS, sizeof(struct offset_map));
+    if (!state->offset_map) {
+        munmap(state->buf, state->size);
+        free(state);
+        return NULL;
+    }
+
     state->jumps = calloc(MAX_JUMPS, sizeof(struct jump));
+    if (!state->jumps) {
+        free(state->offset_map);
+        munmap(state->buf, state->size);
+        free(state);
+        return NULL;
+    }
+
     return state;
 }
 
diff --git a/src/main.c b/src/main.c
@@ -177,20 +177,29 @@ static bool parse_args(int argc, char **args)
         assert(getcwd(cwd_path, PATH_MAX));
 
         char rel_path[PATH_MAX] = {0};
-        memcpy(rel_path, args[0], strlen(args[0]) - 7 /* strlen("rv32emu") */);
+        size_t args0_len = strlen(args[0]);
+        /* Ensure args[0] is long enough before subtracting */
+        if (args0_len > 7) { /* strlen("rv32emu") */
+            size_t copy_len = args0_len - 7;
+            if (copy_len >= PATH_MAX)
+                copy_len = PATH_MAX - 1;
+            memcpy(rel_path, args[0], copy_len);
+            rel_path[copy_len] = '\0';
+        }
 
         char *prog_basename = basename(opt_prog_name);
-        prof_out_file = malloc(strlen(cwd_path) + 1 + strlen(rel_path) +
-                               strlen(prog_basename) + 5 + 1);
+        size_t total_len = strlen(cwd_path) + 1 + strlen(rel_path) +
+                           strlen(prog_basename) + 5 + 1;
+        prof_out_file = malloc(total_len);
         assert(prof_out_file);
 
-        sprintf(prof_out_file, "%s/%s%s.prof", cwd_path, rel_path,
-                prog_basename);
+        snprintf(prof_out_file, total_len, "%s/%s%s.prof", cwd_path, rel_path,
+                 prog_basename);
     }
     return true;
 }
 
-static void dump_test_signature(const char *prog_name)
+static void dump_test_signature(const char UNUSED *prog_name)
 {
     elf_t *elf = elf_new();
     assert(elf && elf_open(elf, prog_name));
diff --git a/src/riscv.c b/src/riscv.c
diff --git a/src/syscall.c b/src/syscall.c
